add scram-sha-256 support #1313


Merged
merged 5 commits into from
Feb 1, 2022

Conversation

fe80
Contributor

@fe80 fe80 commented Nov 29, 2021

Hi,

Since pg 14, scram-sha-256 is the default encryption method. I've changed postgresql_password to support the new encoding methods and changed postgresql::server::role to use this function. The default method of the function is still md5, but this creates a breaking change (encode doesn't have a default value in my code).

I've set the username as the salt string by default.

I've tested and validated on postgresql14.

This PR includes #1132.

Regards,

@fe80 fe80 requested a review from a team as a code owner November 29, 2021 12:36
@puppet-community-rangefinder

postgresql::postgresql_password is a function

that may have no external impact to Forge modules.

postgresql::server::role is a type

that may have no external impact to Forge modules.

This module is declared in 70 of 578 indexed public Puppetfiles.


These results were generated with Rangefinder, a tool that helps predict the downstream impact of breaking changes to elements used in Puppet modules. You can run this on the command line to get a full report.

Exact matches are those that we can positively identify via namespace and the declaring modules' metadata. Non-namespaced items, such as Puppet 3.x functions, will always be reported as near matches only.

@CLAassistant

CLAassistant commented Nov 29, 2021

CLA assistant check
All committers have signed the CLA.

Collaborator

@ekohl ekohl left a comment


I must admit I'm not that familiar with SCRAM-SHA-256, but it looks ok to me.

Collaborator

@ekohl ekohl left a comment


It looks like there were various Rubocop violations and somehow it didn't fail on those. In #1311 I've tried to fix it, but I'm not sure about the different values that my system returns. Could it be that the hash is Ruby version dependent?

)
}
it {
is_expected.to run.with_params('foo', 'bar', nil, 'scram-sha-256').and_return(
Collaborator


The nil parameter gives an error for me:

expected postgresql_password("foo", "bar", nil, "scram-sha-256", "salt") to have returned "SCRAM-SHA-256$4096:c2FsdA==$zOt2zFfUQMbpQf3/vRnYB33QDK/L7APOBHniLy39j/4=:DcW5Jp8Do7wYhVp1f9aT0cyhUfzIAozGcvzXZj+M3YI=" instead of raising ArgumentError('postgresql::postgresql_password' parameter 'sensitive' expects a Boolean value, got Undef)

Contributor Author


Hello,

Indeed, postgresql_password has a mandatory boolean in the third position; I don't understand why it works on my CI (I'm a beginner with Puppet functions).

It should be as you say here: #1313 (comment)

irb(main):001:0> require 'openssl'
=> true
irb(main):002:0> require 'base64'
=> true
irb(main):003:0>   def pg_sha256(password, salt)
    digest = digest_key(password, salt)
    'SCRAM-SHA-256$%s:%s$%s:%s' % [
      '4096',
      Base64.strict_encode64(salt),
      Base64.strict_encode64(client_key(digest)),
      Base64.strict_encode64(server_key(digest))
    ]
  end

  def digest_key(password, salt)
    OpenSSL::KDF.pbkdf2_hmac(
      password,
      salt: salt,
      iterations: 4096,
      length: 32,
      hash: OpenSSL::Digest::SHA256.new
    )
  end

  def client_key(digest_key)
    hmac = OpenSSL::HMAC.new(digest_key, OpenSSL::Digest::SHA256.new)
    hmac << 'Client Key'
    # StoredKey = SHA256(ClientKey); the HMAC itself is not what gets stored
    OpenSSL::Digest.new('SHA256').digest hmac.digest
  end

  def server_key(digest_key)
    hmac = OpenSSL::HMAC.new(digest_key, OpenSSL::Digest::SHA256.new)
    hmac << 'Server Key'
    hmac.digest
  end
=> :pg_sha256
=> :digest_key
=> :client_key
=> :server_key
irb(main):036:0> pg_sha256('bar', 'foo')
=> "SCRAM-SHA-256$4096:Zm9v$ea66ynZ8cS9Ty4ZkEYicwC72StsKLSwjcXIXKMgepTk=:dJYmOU6BMCaWkQOB3lrXH9OAF3lW2n3NJ26NO7Srq7U="

Contributor Author


Do you want me to try to fix this in a new PR?

Collaborator


Please do. I just merged a PR which already fixed some Rubocop failures so be sure to base it on the latest commit.

}
it {
is_expected.to run.with_params('foo', 'bar', nil, 'scram-sha-256').and_return(
'SCRAM-SHA-256$4096:YmFy$y1VOaTvvs4V3OECvMzre9FtgCZClGuBLVE6sNPsTKbs=:HwFqmSKbihSyHMqkhufOy++cWCFIoTRSg8y6YgeALzE='
Collaborator

@ekohl ekohl Feb 3, 2022


On my local system I'm getting a different value:

expected postgresql_password("foo", "bar", false, "scram-sha-256") to have returned "SCRAM-SHA-256$4096:YmFy$y1VOaTvvs4V3OECvMzre9FtgCZClGuBLVE6sNPsTKbs=:HwFqmSKbihSyHMqkhufOy++cWCFIoTRSg8y6YgeALzE=" instead of "SCRAM-SHA-256$4096:Zm9v$ea66ynZ8cS9Ty4ZkEYicwC72StsKLSwjcXIXKMgepTk=:dJYmOU6BMCaWkQOB3lrXH9OAF3lW2n3NJ26NO7Srq7U="

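As an added example (not code from this PR or from the module itself), the same SCRAM-SHA-256 derivation as in the irb session above, written as a verifier builder plus the server-side check that re-derives StoredKey from a stored verifier to validate a candidate password. It also makes the two values quoted in this thread easy to compare: they differ in the base64 salt field (Zm9v is "foo", YmFy is "bar"), that is, in which of the two strings was used as salt, which the example reproduces by swapping its arguments. Function names and the constant-time compare helper are my own.

```ruby
require 'openssl'
require 'base64'

SCRAM_ITERATIONS = 4096
# Keys PostgreSQL derives (RFC 5802 terms): SaltedPassword = PBKDF2-HMAC-SHA256,
# ClientKey = HMAC(SaltedPassword, "Client Key"), StoredKey = SHA256(ClientKey),
# ServerKey = HMAC(SaltedPassword, "Server Key"). Only StoredKey/ServerKey are stored.
def scram_keys(password, salt, iterations = SCRAM_ITERATIONS)
  salted = OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: iterations,
                                    length: 32, hash: OpenSSL::Digest.new('SHA256'))
  client_key = OpenSSL::HMAC.digest('SHA256', salted, 'Client Key')
  { stored_key: OpenSSL::Digest.new('SHA256').digest(client_key),
    server_key: OpenSSL::HMAC.digest('SHA256', salted, 'Server Key') }
end

# Render the verifier in pg_authid.rolpassword format:
#   SCRAM-SHA-256$<iterations>:<b64 salt>$<b64 StoredKey>:<b64 ServerKey>
def scram_verifier(password, salt, iterations = SCRAM_ITERATIONS)
  keys = scram_keys(password, salt, iterations)
  format('SCRAM-SHA-256$%d:%s$%s:%s', iterations,
         Base64.strict_encode64(salt),
         Base64.strict_encode64(keys[:stored_key]),
         Base64.strict_encode64(keys[:server_key]))
end

# Split a verifier into its fields; nil for anything that is not a SCRAM-SHA-256
# verifier (for example an md5 hash, which this module can also produce).
def parse_scram_verifier(verifier)
  m = verifier.match(%r{\ASCRAM-SHA-256\$(\d+):([A-Za-z0-9+/=]+)\$([A-Za-z0-9+/=]+):([A-Za-z0-9+/=]+)\z})
  return nil unless m
  { iterations: m[1].to_i, salt: Base64.strict_decode64(m[2]),
    stored_key: Base64.strict_decode64(m[3]), server_key: Base64.strict_decode64(m[4]) }
end

# Constant-time byte comparison so a mismatch does not leak its position through timing.
def constant_time_eq?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Check a candidate password against a stored verifier the way the server side does:
# re-derive StoredKey with the stored salt and iteration count and compare it.
def scram_password_matches?(verifier, candidate)
  parts = parse_scram_verifier(verifier)
  return false unless parts
  recomputed = scram_keys(candidate, parts[:salt], parts[:iterations])
  constant_time_eq?(recomputed[:stored_key], parts[:stored_key])
end
```

scram_verifier('bar', 'foo') reproduces the value printed by the irb session above, and scram_verifier('foo', 'bar') yields a verifier whose salt field is YmFy.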
@Neustradamus

@fe80: Good job!
